[image: colorfulbackground.png] Following the success of our first RiskBowl Live session on wholesale credit risk modelling, we are delighted to announce our second get together on Model Risk & AI, to be held in late September 2025 A moderated roundtable for Model Risk industry leaders to be held our Marylebone offices to share perspectives and discuss pressing topics under Chatham House Rules. Spaces are limited, so reach out to book your place

Conversations with our clients reveal the imperative of realizing the benefits from the promise of digitally transforming credit decisioning and lending journeys, driven by the need to control bank costs and retain customer loyalty in the face of competition from more nimble, digitally-native banks To better understand current trajectories in the lending transformation space, Oliver Wyman conducted a survey of banks across several markets, looking at the overarching burning platform, budgets, barriers to transformation, data, analytics, underlying technology, customer management, and organisational setup. In summary, our high-level, selected findings indicate Lending transformation is a high priority topic, with participants sequencing Retail and SME first in their lending transformation programs Respondents see the traditional incumbent breakthrough as the biggest competitive threat over the new fintech challenger looming on the horizon Decisioning time, revenue growth and cost reduction cited as top 3 benefits, whilst expected uplift is highest for customer experience Budget for lending allocation is approached on program level or on individual level, with very few respondents approaching it as a strategic objective Most budget is spent on customer journeys, internal workflows and underlying IT infrastructure rather than analytics capabilities [image: 1732202451766-lending-transformation-survey-infographic.png] Reach out for more insight, but we’d be keen to hear from the RiskbOWl community how this stacks up against your lending transformation program – post your thoughts below !

Bundesbank calls for a simpler—CET1 centric—capital stack for euro area banks Germany’s Bundesbank has tabled a set of options to strip back the euro area’s “maze” of bank capital rules, arguing that complexity is hobbling the very buffers meant to be used in stress. In a keynote on 12 September 2025, President Joachim Nagel urged EU policymakers to consolidate requirements, clarify what counts for going versus gone concern loss absorption, and make more of the system explicitly releasable in a downturn—without lowering resilience What the Bundesbank is putting on the table Nagel outlined three core simplification moves and a proportionality strand: Two core requirements, met entirely with CET1. Today’s parallel minimum ratios and add ons would be pared back so the going concern stack speaks in one language: common equity Re assign AT1 and Tier 2 to “gone concern” use only. Subordinated instruments would serve resolution needs (MREL/TLAC), rather than padding day to day requirements that banks try to meet in steady state Merge the CCyB and SyRB into a single, releasable buffer. That would make drawdowns more credible when macro conditions sour A cleaner, lighter regime for small, non complex banks. Proportionality is a repeated theme across the speech and the conference framing The push comes with an explicit health warning: simplification is not deregulation. In a companion essay, a Bundesbank executive board member called for Europe’s overlapping “stacks” to be made transparent and usable, not looser How this fits into the EU rulebook (Basel III finalisation, SSM/SRB) The proposals would land on top of CRR3/CRD6, the EU’s final Basel III package that entered into application on 1 January 2025 (with some phased elements). Under current law, Pillar 1 minima remain CET1 4.5%, Tier 1 6%, total capital 8%, with buffers (the CBR) made of CET1 and added via the CRD, plus SSM set Pillar 2 overlays and guidance. Any shift to a CET1 only going concern stack and a single releasable buffer would therefore require legislative changes in Brussels and coordination with supervisors and the Single Resolution Board A stricter separation of prudential (Pillar 1, Pillar 2, CBR/P2G) and resolution (MREL/TLAC) is also squarely in line with concerns the SRB and ESRB have flagged: as frameworks overlap, capital that looks releasable on paper can be trapped by parallel minimums in practice (including leverage and MREL expressed in LRE). The Bundesbank’s blueprint would try to eliminate that double counting Why now: the problem of buffer usability (stated and implicit goals) Stated goals are usability and clarity: if buffers cannot be drawn without breaching some other binding constraint—or if banks fear market or supervisory stigma—the buffer concept breaks. The Basel Committee and ESRB have documented these frictions; the ECB/ESRB also advocate building releasable space early in the cycle via a “positive neutral” CCyB. The Bundesbank proposals closely echo that logic Implicit goals are competitiveness and coherence. EU banks face higher complexity costs and, at the margin, less usable headroom than some peers. Simplifying the stack while tilting going concern requirements toward pure CET1 could improve comparability with other jurisdictions, especially as the US reworks its “Basel endgame” and leans into domestic recalibration Early reactions ECB/SSM Chief Supervisor Claudia Buch has been championing “simplification without deregulation,” backed by a High Level Task Force chaired by Luis de Guindos to sift practical proposals across prudential, supervisory and reporting domains. Messaging from ECB supervisors consistently ties simplification to SREP process reform, not lower capital EBA and SRB The EBA’s 2024 report mapped EU stacking orders (Pillar 1/2, buffers, leverage, MREL) and stopped short of recommending immediate rule changes, but it underscores how stack interactions can bind. The SRB has warned explicitly that overlap can limit buffer usability Industry The European Banking Federation’s “Simply Competitive” campaign urges cutting regulatory complexity as a competitiveness priority—language that dovetails with the Bundesbank pitch while also pushing for broader policy changes Parliament/think tanks A recent European Parliament study on banking competitiveness calls for simpler capital/loss absorbency requirements and more centralised macroprudential decision making in the Banking Union Markets There was no discrete price move tied to the speech; Euro STOXX Banks rose +0.12% on 12 Sept, with subsequent sector moves dominated by macro newsflow. That points to a policy story unfolding over months, not days Consistency with past Bundesbank/ECB positions The Bundesbank has historically backed full, faithful Basel implementation and published regular impact updates. Its 2024 assessment put the CRR3/CRD6 driven increase in minimum required capital for a German sample at ~3.3% by 2030 (phase in), reinforcing a resilience first stance. The new initiative targets architecture and usability, not lower capital. On the ECB side, recent speeches and blogs emphasise stable methodologies, more proportionality for small banks, and process simplification—again, not a reduction in prudential strength What would change if the ideas advance? Bank stability A CET1 only going concern stack could raise the quality of loss absorbing resources and make drawdowns clearer in stress, at the cost of transition pressure for banks that currently rely on AT1/T2 to meet Pillar 2 requirements. The payoff is a more credible “use it when needed” buffer design Resolution credibility Ring fencing gone concern resources in MREL/TLAC and removing overlaps with prudential buffers would clarify the hierarchy of loss absorption, potentially strengthening resolution planning and investor signalling. But it would likely reprice AT1/T2 as their role is narrowed Competitiveness and costs Less stacking order confusion and fewer composition rules can reduce compliance friction and free headroom that is actually usable, which industry argues matters for credit supply. The ECB and ESRB’s push for releasable capital supports this direction, provided overall resilience is preserved Legislative pathway Delivering any of this requires EU co legislation (CRR/CRD and potentially SRMR/BRRD changes) and detailed alignment across SSM and SRB methodologies. With the ECB task force work ongoing, observers expect an initial simplification package for lawmakers’ consideration around year end. Timelines and calibration will be the politics Analytical context: today’s stack and why it binds Under the current EU framework, banks satisfy Pillar 1 minimums (CET1/T1/TC), then layer on Pillar 2 Requirements (P2R), the combined buffer requirement (CBR)—made of the capital conservation buffer, countercyclical buffer, systemic risk buffer, and G SII/O SII buffers—and Pillar 2 Guidance (P2G). In parallel sit the leverage ratio minimum and MREL under the resolution regime. This is the source of multi restrictiveness: dipping into the CBR can trip leverage or MREL constraints, rendering buffers de facto unusable without supervisory waivers and potential market penalties. The Bundesbank’s CET1 only going concern idea and single releasable buffer are designed to untie those knots What to watch next Text and calibration The Bundesbank has posted the speech entry and BIS transcript; watch for the full text and any follow up technical notes spelling out the two CET1 metrics, leverage interaction, and transition ECB task force deliverables How far will the de Guindos task force go on buffer releasability, P2R/P2G composition, and prudential resolution separation—and what needs co legislation? Macroprudential governance If CCyB and SyRB merge into a single tool, who sets and releases it—national authorities, the ECB, or a hybrid within the Banking Union? The ECB/ESRB “positive neutral” agenda is the analytical backdrop AT1/T2 markets A pivot to gone concern only could reshape issuance and pricing of AT1/T2, affecting banks’ funding mixes and WACC Level playing field The US is rewriting its capital package; any EU simplification will be measured against that and the UK’s evolving approach

Since we wrote about geopolitical risk last year, we have seen industry practice evolve and we felt an update is warranted. Over the past six months, geopolitical risk has evolved from a peripheral factor to a structural dimension of enterprise risk management. Across client engagements in Europe, the US, and APAC, we observe a clear shift: leading banks are beginning to treat geopolitical uncertainty not just as a backdrop to macroeconomic scenarios or part of the Country Risk Teams, but as a direct risk driver. The change is being accelerated by supervisory focus—particularly in Europe. Institutions are expected to treat geopolitical developments as a material influence on their risk profile, both from a financial and non-financial perspective. The ECB has elevated this expectation as part of its core supervisory agenda for 2025–2027, which is already shaping risk steering discussions at board level. At a practical level, we see three main developments gaining traction: Geopolitical risk is becoming multi-dimensional. It's no longer confined to sovereign credit or country risk. The emerging practice is clear: geopolitical risk must be treated not as a siloed topic, but as a cross-cutting input into enterprise steering—from risk appetite to capital strategy, from third-party governance to digital infrastructure planning. Operational exposure is moving to the forefront. With increasing tension in global trade, the resilience of core operations—especially IT and critical vendor networks—is under renewed scrutiny. Cybersecurity, cloud sovereignty, and compliance with regional digital sovereignty laws (e.g. DORA) are now viewed through a geopolitical lens. Risk management approaches are becoming more forward-thinking. Rather than waiting for events to materialize, banks are building structured response capabilities based on scenario analysis, cross-functional simulations, and targeted early-warning frameworks. In conversations with risk and strategy executives across global banks, a common theme is emerging: the need to move from fragmented, reactive risk tracking to a coherent and mature, cross-functional framework that embeds geopolitical thinking into core risk processes. [image: 1753805641026-d0f2aaf0-a352-4ff7-9158-5d46bf252bce-image.png] Figure 1: Oliver Wyman Geopolitical Risk Management Framework While practices vary widely, two elements are consistently present among institutions leading the field, which we describe below: top-down portfolio scans for geopolitical sensitivity, and crisis simulation. Top-Down Portfolio Scans for Geopolitical Sensitivity Before banks can simulate or plan for geopolitical disruption, they need clarity on where they are most exposed. That requires a structured, top-down portfolio view—not just of credit and market exposures, but of operational and third-party dependencies that could be vulnerable to geopolitical shifts. Risk measurement and quantification have also made progress, where top-down portfolio analysis is typically the starting point to prioritize efforts across the existing risk types. When starting with the analysis, the selection of portfolio scope is the first determinant. Peers are typically starting with the lending, securities and deposits portfolio on group level. When defining the scenarios for the portfolio assessment institutions employ a small set of intuitive, high-level geopolitical risk scenarios such as increasing trade and investment restrictions. The portfolio segmentation is analyzed for vulnerability to 1st and selected 2nd order effects (especially energy / commodity prices and supply chain disruptions). For the top-down portfolio assessment, most institutions conduct a qualitative impact assessment, clearly identifying relevant risk drivers for the respective primary risk types. Multi-format crisis simulation Once sensitive exposure areas are identified, banks can run simulations to assess how geopolitical events would affect their operations, risk profile, and strategic posture. This is no longer a theoretical exercise. Take the energy-related grid shutdown in Spain, Portugal and France earlier this year. While the root causes were not directly geopolitical, the systemic impact mirrored what could happen in a true geopolitical escalation—forcing multiple banks to activate contingency procedures, reroute processing, and adjust liquidity buffers in real-time. Crisis simulations with geopolitical triggers serve three key purposes: They test multi-dimensional resilience—from financial metrics (capital, liquidity) to operational continuity and reputational response; They sharpen cross-functional preparedness: involving risk, IT, legal, communications, and business continuity teams in a coordinated stress response; and They surface second- and third-order effects—such as delays in reporting due to system outages, failure of key vendors in conflict regions, or jurisdictional clashes over regulatory compliance Depending on the institution’s maturity and exposure, a range of simulation formats is currently being used, from tabletop exercises for initial risk awareness and coordination, through war-gaming scenarios that simulate adversarial moves across regulatory or geopolitical dimensions, all the way to full-scale crisis simulations, including real-time decision-making, interdepartmental coordination, and post-mortem analysis. We are experiencing a new wave of tariff announcements and conflict in the Middle East. While short-term uncertainty may dominate headlines, leading institutions treat it as a catalyst for deliberate, long-term positioning. Key structural shifts—around global alignment, digital sovereignty, and economic fragmentation—require active engagement and banks are using this phase to start building lasting resilience through governance, scenario design, and strategic alignment.

Are you building internal models for FIRB segments? E.g. FIs, Large corps are FIRB in B3.1, are you planning to use your internal models for these segments? How does it align with use-test requirement from PRA

CFO functions across institutions (and indeed, across industries) share common pain points (data, regulatory overload, change fatigue, etc.) at a time when they face significant cost challenges – especially as the CFO is expected to lead by example within the organisation How do you choose between the effectiveness and efficiency of the Finance function? We believe this is the wrong question, a false trade-off. The best-in-class Finance functions can achieve greater effectiveness and efficiency in tandem In our latest OW Treasures, we explore how to tackle this challenge and drive the Finance of the Future - we’d love to hear your thoughts [image: 1759315911785-c6888084-1e94-4277-8961-fe7ddb7a07a0-image-resized.png]

Beyond Box-Ticking: Strategic Consequences of the EU’s AML Authority The establishment of the EU Anti-Money Laundering Authority (AMLA) under Regulation (EU) 2024/1620 marks the most significant change in the bloc’s approach to financial crime since the first AML Directives. Tasked with directly supervising high-risk, cross-border financial institutions and coordinating national authorities, AMLA will reshape compliance standards, operational structures, and business models. This article analyses the regulatory framework, timeline, and impacts on banks across the EU from 2024 to 2028. Key implications include higher compliance costs, harmonised supervisory expectations, closer scrutiny of crypto-asset service providers, and opportunities for early movers to leverage compliance excellence as a competitive advantage Why the AMLA was created Europe’s AML/CFT regime has long suffered from fragmented national implementation of directives, uneven supervision, and weak enforcement. Scandals involving large banks highlighted gaps in cross-border coordination and beneficial ownership transparency. To align with FATF expectations and restore confidence in the single market, the Commission’s 2021 AML package introduced a Single Rulebook (Regulation (EU) 2024/1624), a new Directive (AMLD6), and AMLA as a central authority Legal Framework: AMLA’s statutory powers, supervisory scope, and enforcement tools Core Legal Basis Regulation (EU) 2024/1620 establishes AMLA, conferring on it powers to directly supervise “selected obliged entities” in the financial sector, coordinate and oversee AML/CFT supervision across Member States, support and coordinate Financial Intelligence Units (FIUs), issue guidelines, regulatory technical standards, recommendations, and enforce its own decisions in certain cases The AML Package includes the AML Regulation (EU) 2024/1624 (providing a Single Rulebook), AML Directive (EU) 2024/1640 (AMLD6), and other instruments (e.g. for transfers of funds / crypto transfers). These combine to broaden obligations and reduce national discretion Supervisory Scope AMLA will have two main supervisory modalities Direct supervision of selected obliged entities, which are financial sector entities (credit institutions, investment firms, insurance undertakings, crypto-asset service providers, etc.), satisfying criteria of: Operations in at least six EU Member States (by branch or via freedom to provide services) A high ML/TF risk profile as assessed by AMLA (“inherent” and “residual” risk) First selection expected to cover around 40 entities/groups, with selection every 3 years Indirect supervision / Coordination / Convergence: For all other obliged entities, supervision remains with national authorities, but AMLA will set binding technical standards (via Regulation), issue guidelines and recommendations, conduct annual or periodic reviews of supervisory authorities’ performance, coordinate peer reviews, facilitate cooperation among FIUs, resolving supervisory disagreements cross-border, etc. Enforcement Tools For selected obliged entities, AMLA will have administrative measures including orders for corrective measures, temporary bans on persons, etc. Ability to impose pecuniary sanctions for serious, repeated or systematic breaches of the AML Regulation, including periodic penalty payments to ensure compliance Transparency: public naming of decisions in certain cases. National authorities for non-selected entities will be expected to follow AMLA guidelines. AMLA may issue warnings if a Member State fails to correctly apply EU rules Other Powers Monitoring and assessing ML/TF risks in the EU internal market and wider world; gathering data; establishing a central information database accessible to national and EU supervisors Overseeing FIUs: facilitating joint analyses of suspicious cross-border transactions, improving secure information exchange (FIU.net), training, technical / IT support [image: 1759221598016-amla-1-resized.png] Transitional arrangements will include grace periods for some obligations, phasing of enforcement powers, and continuing national supervision (with cooperation) until direct supervision kicks in. Entities selected will likely receive notice ahead of time and have reasonable notice to adjust. Some technical standards / guidelines will apply from earlier dates or upon issuance Operational Impacts for Banks Banks and other obliged entities will need to adjust multiple aspects of their compliance operations. Key areas where operational impacts are likely (2024-2028): Customer Due Diligence (CDD) Stricter beneficial ownership requirements under AMLD6 Enhanced due diligence for politically exposed persons (PEPs), high-risk jurisdictions, cross-border/onboarding of clients in other Member States. The risk-based approach will be standardised across the EU, reducing margin for national variation More detailed ongoing monitoring obligations, review of residual risk, more frequent updates to CDD records Transaction Monitoring and Suspicious Transaction Reports (STRs) Given AMLA’s mandate over joint analyses (FIU cooperation) and monitoring, banks will need to ensure transaction monitoring systems are capable of producing information that supports cross-border patterns, large and complex transactions, crypto flows, etc. STR submission standards may become more unified; expectations for timeliness, quality, and use of analytics will increase Sanctions Screening Integration of sanctions compliance with AML/CFT obligations will become even more crucial, particularly since AMLA’s powers include ensuring selected obliged entities have appropriate internal policies for targeted financial sanctions, asset freezes etc. Increased overlap among AML, CFT, sanctions regimes (national, EU, international) will require more centralised functions in many banks Crypto-Asset Service Providers (CASPs) Oversight CASPs are expressly included as possible “selected obliged entities.” They will be subject to direct supervision if they meet cross-border / risk criteria Even for non-selected CASPs, the indirect supervision and technical standards will raise the floor, requiring improved controls, transaction traceability, monitoring of crypto-asset transfers Data and IT AMLA will maintain a central information database; banks will need to ensure data compatibility, submission of required data, quality, timeliness Upgrading or enhancing transaction monitoring systems, STR analytics, AI/ML tools; cross-border data flow infrastructure; strong model governance Onboarding/ Offboarding Uniform rules will reduce some of the friction caused by national differences, but the cost of adjusting onboarding policies, risk classification, escalation procedures, enhanced due diligence will be non-trivial. Offboarding (client exit) decisions may be more scrutinised in cross-border / high risk settings [image: 1759221884524-amla-2-resized.png] Drivers of cost System and data architecture upgrades (including analytics, AI/ML, cross-border data flows) Hiring or reallocating compliance, legal, risk personnel; possibly setting up dedicated “AMLA preparation/ liaison” functions Training and change management across country teams and business lines Remediation of past weaknesses: e.g. beneficial ownership, lack of consistent policies, documentation gaps External advisory, audit / validation cost Savings / possible offsets Over time, standardisation may reduce duplicated effort across national jurisdictions Shared services (e.g. central transaction monitoring, vendor-provided screening) may achieve economies of scale Improved automation, better analytics reducing false positives or inefficiencies Strategic Business Model Implications Cross-Border Operations and Correspondent Banking Banks with large cross-border footprints will be under direct AMLA supervision; this increases risk (regulatory, compliance, reputational) but also relative advantage for those who perform well Correspondent banking relationships may be scrutinised more closely; some banks may “de-risk” by terminating or reducing exposure to jurisdictions or partners with weak AML/CFT track records. This would reduce correspondent banking network densities Crypto Services Firms engaged in crypto-asset services are part of the scope; those with cross-border operations and high risk are likely to be directly supervised. Crypto service providers and the financial institutions that interface with them will need to close gaps in transfer traceability, origin/destination controls, screening, etc. Client Onboarding/ Offboarding Stricter uniform CDD and enhanced due diligence will likely slow onboarding for high risk / cross-border / crypto clients Banks may re-evaluate acceptance criteria. Offboarding decisions may become riskier, especially in jurisdictions or with clients triggering systemic risk Reputation, Risk Appetite and Business Lines Reputational risk will amplify failures in AMLA’s directly supervised entities will likely draw EU-level attention and public naming; non-selected entities, while under national supervision, will still face scrutiny via AMLA’s reports, peer reviews, etc. Banks may adjust risk appetite: reduce exposures in high-risk jurisdictions; shift business lines less exposed to ML/TF risks Competitive Opportunity Those banks that prepare early and demonstrate strong AML/CFT frameworks may benefit lower cost of compliance in the medium term Ability to serve high risk clients more credibly; help with cross-border business; possible regulatory “trust premium.” Governance and Organisational Change Risk appetite & oversight: Boards and senior management must engage more directly; AML/CFT must be elevated in enterprise risk frameworks, with clearer metrics, KPIs Lines of defence: First, second, third lines will need clearer roles: compliance units, internal audit, legal will need to coordinate; possibly new roles for liaison with AMLA; stronger independence Incident response: Prepare for more inspections / audits; better readiness for regulatory investigations; crisis communications (reuse of reputational risk) Shared services: Many banks will centralise compliance functions to avoid duplication across regions; consider internal centres for excellence Technology and Data Requirements Standardisation: Uniform data definitions, standardised risk scoring, harmonised reporting templates across EU; data models that meet AMLA’s technical standards Analytics / machine learning tools: To detect cross-border suspicious patterns, large transaction volumes, crypto flows, link networks of entities FIU integration and secure data exchange: Banks must ensure that systems can interoperate with FIU requirements, central database; privacy and security; resilience Model governance: More robust validation of AML/CTF models; oversight of AI/ML components; assurance of explainability particularly under enforcement. Operational infrastructure: Real-time or near-real time screening (transaction, sanction, PEP etc.), scalable data storage, audit trails [image: 1759225380772-amla-3-resized.png] Recommendations: Strategic Priorities for Banks To manage the transition and exploit opportunities, banks should consider the following strategic priorities: Short-Term (2024-2026) Gap analysis / readiness audit: assess current AML/CFT frameworks against AML Regulation / AMLD6 / AMLA draft technical standards; especially for cross-border operations, CDD, sanctions, crypto Stakeholder mapping and liaison: identify whether bank is likely to become a selected obliged entity; engage with national regulators; monitor AMLA’s upcoming guidelines / selection criteria Data and systems inventory: map data flows, reporting, IT systems; identify gaps for traceability, cross-border transaction monitoring Resourcing plan: estimate additional staff, budget, and external support needed; hire or train early; plan for centralization or shared services where possible Policy standardisation across jurisdictions: harmonise internal policies, risk classification, onboarding/offboarding, PEP/ sanctions screening to reduce divergence Medium-Term (2026-2028) Implement technical tools: deploy or upgrade transaction monitoring, AI/ML, analytics for cross-border suspicious patterns; build pipelines for large data sets; enhance model governance Compliance culture and training: firm-wide training; embed AML/CFT in business line planning; set measurable KPIs; align incentives Scenario planning and stress testing: simulate supervisory inspections, enforcement; test readiness for adverse events (e.g. failed STRs, sanctions breaches) Strategic portfolio review: re-evaluate correspondent banking relationships; exposure to high risk jurisdictions; consider withdrawing or offboarding where risk excessive or cost outweighs benefit Collaboration and industry engagement: engage with peers, trade associations, FIUs; monitor AMLA / EU-level regulatory discussions; possibly influence upcoming technical standards Long-Term (2028 and beyond) Embed continuous improvement: establish a cycle of review, benchmarking against best practices, adapting to evolving ML/TF threats (crypto, AI/tech-enabled crime) Leverage harmonisation for competitive advantage: streamline cross-border services; reduce internal friction; offer clients more consistent experiences across Member States Invest in resilient infrastructure: ensure data privacy / cybersecurity; robust disaster recovery; compliance with technological and regulatory evolution (e.g. blockchain, cross-border payments) [image: 1759227604985-amla-4-resized.png] AMLA introduces a new, more centralised, harmonised and enforceable regime for AML/CFT in the EU. For banks, especially those with cross-border profiles, the period 2024-2028 will be one of substantial operational, strategic and financial change. The chief challenges are in upgrading data, systems and processes; managing cost; aligning risk appetite; and preparing for stronger enforcement. But banks that act early—auditing their current state, investing in technology and governance, and shaping their policies to meet the new rulebook—can not only avoid penalties, but gain competitive advantage in a higher transparency, lower arbitrage regime. Leadership should treat AMLA not simply as a compliance burden but as a strategic inflection point: one that may reshape business models, product offerings, and cross-border strategy for years to come

@OP In my experience, it typically depends on the bank's approach to the override: Pre-calibration would typically be included if they are trying to include is as an statistical predictor of risk: i.e. you have some historical information that help you calibrate the specific weight and you only include the override if it increases the predictive ability of the model Post-calibration if they want it to be a “penalization” mechanism for management (however this will not be fully compliant with EBA calibration guidelines for the use of overrides in IRB models)

In the context of the 2025 EBA Stress Testing exercise we’ve convened our sixth EBA Stress Test industry roundtable, involving representatives from 25 of the largest European banking institutions across ten countries. While each bank is looking to approach the stress testing exercise from its own unique perspective, we’ve found that two common trends seemed to emerge: Banks expect the anticipated depletion of the Common Equity Tier 1 (CET1) ratio under adverse scenarios to align closely with the outcomes seen in 2023. Banks see the operational complexity of the exercise as their main challenge. Participants were concerned about potential CRR3 re-statements (particularly the difficulty in accurately projecting a CRR3 Fully Loaded framework that incorporates all CRR3 phase-ins expected by 2032) as well as the need for top-down calculations to estimate CRR3 compliant RWAs, which could complicate reconciliation efforts and impact result accuracy. Other concerns raised by participants included the new timeline and significant changes to Quality Assurance processes - especially regarding potential on-site visits and inspections by the European Central Bank (ECB) - and the unpredictability of the new Net Interest Income (NII) platform and Quality Assurance machinery, which banks believe leaves them with less control over projections and adds to the uncertainty of the exercise. Overall, it was insightful to see how given the inherent complexity of the exercise participants agreed on the need for thorough upfront preparation and a robust end-to-end stress testing infrastructure as conditions to success. What are the main concerns at your organisation? How do you feel your competitors will react to EBA’s requirements for this year’s stress testing? Graphics: How Oliver Wyman supports Financial Institutions carry out stress testing: [image: 1742826199933-cc0303ff-d517-49f9-b22c-e6d2071f1964-image.png]

[image: 1760030643277-picutre.jpg.png] On 9th October 2025 we held our latest RiskBowl Live roundtable with participants from 10 banks and building societies, alongside two of our senior advisors: Colin Jennings (ex-PRA and ex-CRO) and Lukasz Szpruch (The Alan Turing Institute). This roundtable brought together senior heads of Model Risk Management to take stock of where banks are on managing the model risk of AI and discuss their convergence towards full compliance with SS1/23. The discussion confirmed a common trajectory: an early phase of AI modelling experimentation has exposed structural gaps — in taxonomy, inventory management, model monitoring and validation — that now require a coordinated effort to make bank-wide AI use safe, auditable and scalable across firms. Firms have welcomed the clarity and the heightened stature of Model Risk in the firm’s risk taxonomy, and are using its guiding principles to coordinate said effort. Key takeaways from the discussion are presented below: Managing the model risk of AI • Experimentation to consolidation: participants described an early period of numerous disjointed pilots and recommend grouping similar use cases to scale efficiently rather than proliferate ad hoc AI projects • Use case specific governance: high risk algorithmic/decisioning use cases require materially different controls from low risk productivity tools; a one size governance model is insufficient • New tech stack & MRM implications: generative AI brings dependencies that must be formally approved and governed. These create integration and approval work that traditional MRM processes were not designed to cover. • Skills and vendor risk gaps: many teams or vendors originate outside banking and lack knowledge of bank’s processes, compliance expectations, and model lifecycle controls; stronger third party standards and onboarding are needed • Model classification ambiguity: simple assistive tools (e.g., grammar correction) may fall outside current model definitions, while some AI systems sit partially within model risk remit—creating uncertainty about monitoring and ownership • Committee and oversight design: avoid duplication of oversight bodies — firms must clarify roles between existing model risk committees and any AI monitoring forums • Quantitative monitoring and human AI controls: firms want monitoring frameworks capturing model and human performance, with defined escalation triggers and the ability to switch to automated testing based on scale and level of risk Convergence towards compliance with SS1/23 • Raised standards and visibility: SS1/23 has driven broader Model Risk visibility within firms and heightened board awareness • Material operational uplift: documenting and managing additional models and DQMs in scope is increasing resourcing and cost materially — firms reported significant headcount increase and process redevelopment • Definition and scope tensions: debate continues on what counts as a model (quantitative, deterministic, qualitative outputs, agentic behaviours) and on incentives to classify or de classify to manage control and operational burden • Validation and ownership challenges: validating qualitative and AI enabled outputs is resource intensive; teams need clarity on who conducts testing (first line, MRM, or specialist validation units) and on practical monitoring cadences • Ongoing dialogue required: participants agreed continued cross firm engagement and proactive regulatory conversations are necessary to align interpretations and reduce operational fragmentation between firms and subsidiaries Cem Dedeaga Partner, Head of Risk Modelling UK&I cem.dedeaga@oliverwyman.com Matias Coggiola Senior Manager, MRM lead matias.coggiola@oliverwyman.com Download the above as PDF by clicking on the link here: 20251009_MRM_Roundtable_Summary_vF.pdf

Hi RisbOWl community. I have been thinking lately about the dynamics of the working relationship with 2nd and 3 LOD from a 1LoD perspective. While there is much talk about these dynamics from a high-level, ERM or governance perspective, those of us who are in involved more on the day to day interactions need to make sure we 'walk the talk'. While clear, continued communication is key, I have found the use of shared resources (such as evidence repositories, plans, collaborative query logs, etc) have really made a difference in the relationship we have built with our validators in the second line of defence. What does the community think about common techniques for increasing cross-line of defence productivity. Thank you in advance.

Lights, Camera, Compliance! Imagine you’re in a high-stakes thriller, much like Inception. Just as Cobb and his team navigate complex dream layers, banks and financial institutions today are navigating the intricate layers of BCBS 239. But instead of dreams, they’re dealing with data and the regulation that aims to enhance risk data aggregation and reporting capabilities. What is BCBS 239? At its core, BCBS 239, introduced by the Basel Committee on Banking Supervision, is a set of principles designed to ensure that banks can effectively manage risk through accurate and timely data reporting. Think of it as the ultimate guide for navigating the labyrinth of financial data, ensuring that institutions can make informed decisions and respond swiftly to crises. The Challenges: A Real-Life Drama However, just like in a good movie, the path to compliance is fraught with challenges. Here are a few key hurdles that institutions face: Data Silos: Many banks operate with fragmented data systems, akin to a band struggling to harmonize. Each department has its own version of the truth, making it difficult to achieve a cohesive view of risk exposure Legacy Systems: Picture a classic car that’s seen better days. Many institutions rely on outdated technology that hampers their ability to aggregate and report data efficiently, making compliance feel like an uphill battle Cultural Resistance: Change is hard, much like a character in a romantic comedy who refuses to acknowledge their feelings. Employees may resist new processes and technologies, fearing disruption to their routine Regulatory Complexity: The regulatory landscape is constantly evolving, much like the plot twists in a suspense thriller. Keeping up with these changes requires agility and foresight, which can be a daunting task for many organizations. The Road Ahead So, how can institutions turn this potential drama into a success story? Here are a few actionable steps Invest in Technology: Embrace modern data management solutions that break down silos and streamline reporting processes. Foster a Culture of Compliance: Engage employees at all levels, emphasizing the importance of accurate data for decision-making and risk management. Stay Agile: Regularly review and adapt to regulatory changes, ensuring that your compliance strategies remain robust and effective. While BCBS 239 presents its challenges, it also offers an opportunity for banks to enhance their risk management frameworks. By embracing the journey with the right tools and mindset, institutions can transform compliance from a burden into a strategic advantage. Let’s continue this conversation! What challenges have you faced in navigating BCBS 239? How have you overcome them? Share your thoughts below!